su runs a shell with substitute user and group IDs. It is used to become another user during a login session. Invoked without a username, su defaults to becoming the superuser. The optional argument - (a single hyphen) may be used to provide an environment similar to what the user would expect had they logged in directly.
Restricting the su command to the root superuser only is simple.
First, determine the path of the su binary with the following command:
# which su
returns
~~~~~~~~~~~~~~~
/bin/su
~~~~~~~~~~~~~~~
Note the current file mode bits and ownership of the su binary:
# ls -la /bin/su
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-rwxr-xr-x 1 root root 24284 Apr 28 2007 /bin/su
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Notice that the su binary is world readable and world executable. This means any user with a shell account can invoke su and, with a stolen or guessed password, use it to become another user. If you wish to change this, issue the following command:
# chmod 700 /bin/su
Now root, and root alone, can invoke the su binary.
Note that this is not advisable if your su binary is setuid root, i.e. it has attributes like the following:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-rwsr-xr-x 1 root root 27052 2007-08-02 18:33 /bin/su
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
as it could affect applications and packages that depend on a setuid-root su binary.
Unfortunately, a user can simply copy their own version of su to the server, running that one instead. This is also a common problem when attempting to lock down sudo. It’s always better to grant exclusive rights, rather than try to come up with a list of things to deny, because you’ll never think of them all.
A better solution is to put in the restriction at the PAM level. There are a few examples in the /etc/pam.d/su file on how to restrict su for a particular group.
I learned this little trick from a veteran Red Hat dev:
# addgroup wheel (add the wheel group)
# adduser wheel (add users to the new wheel group)
# chmod 4750 /bin/su (chmod su so only users in the wheel group can call it)
This will make it so that only the users in the wheel group will be able to call su. It also prevents normal users from sitting and calling su repeatedly to try and guess the root password. Or you can simply install and use sudo and lock the root account. Can’t hack into a locked root account, and hacking into a user account requires that you know the username 😉
IMHO, the best way to limit use of ‘su’ today is to simply uncomment the line about the wheel group in /etc/pam.d/su (on RH variants). I don’t remember the Debian way off the top of my head.
Modifying the permissions of the binary doesn’t get you very far at all; again, as mentioned above, someone could copy the ‘su’ binary from any other Linux machine.
You want to impose a system-wide policy about who can su, and PAM is a pretty good way. Using ‘sudo’ instead is another excellent option.
A working su that isn’t suid root sounds like a broken install to me.
If your su is not setuid to root, then it can only be used by root. There is no magic inside the su command, it grants users root access (or any other access) because it is setuid root, it authenticates the caller, and then does what the caller has asked.
Also, a general user can copy su from another machine, but they can’t set the required permissions (chown root, chmod u+s) on their su version to enable it to work correctly.
Therefore, if you want to stop users from using su to gain root access, the original idea is correct. Change the permission to 4700 (read-write-execute-setuid) and the ownership to root.
The other ideas mentioned above, (pam, @wheel, etc) are also valid.
That said, if you have a problem with users trying to brute force your root password, a LART is the answer to this problem (LART = Luser Attitude Readjustment Tool, e.g. a large metal pipe).
One final note – there are other tools that will gain a user root access, most notably sudo, but really, any program that authenticates a user (e.g. SSH, getty, etc.) will allow someone to log in as root unless it’s been disabled.
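The post's discussion of su's mode bits (700 vs. 4750 with a wheel group) and the last commenter's point that su only grants access when it is setuid root can be turned into a small audit check. The following POSIX sh script is an added example, not code from the post or its commenters; `classify_su` and `audit_su` are names chosen here, and the mode strings in the usage are constructed samples.

```sh
#!/bin/sh
# Added example: classify who can use a su binary from its "ls -l" mode
# string, owner and group. Reasoning follows the post: su can only grant
# root access when it is setuid *and* owned by root; the execute bits
# then decide who may invoke it (everyone, a group such as wheel, or root).

# classify_su MODE OWNER GROUP
# prints one of: not-setuid-root | anyone | group:<name> | root-only
classify_su() {
    mode=$1; owner=$2; group=$3
    # ls -l mode layout: position 1 = type, 2-4 = user, 5-7 = group, 8-10 = other
    user_x=$(printf '%s' "$mode" | cut -c4)
    grp_x=$(printf '%s' "$mode" | cut -c7)
    oth_x=$(printf '%s' "$mode" | cut -c10)
    # setuid plus user-execute shows as 's' in position 4 (4755, 4750, 4700)
    case "$user_x" in
        s) setuid=1 ;;
        *) setuid=0 ;;
    esac
    if [ "$setuid" -eq 0 ] || [ "$owner" != root ]; then
        # a copied su without setuid-root (e.g. -rwxr-xr-x, or owned by a user)
        # cannot escalate anyone; only root gains anything by running it
        echo not-setuid-root; return 0
    fi
    case "$oth_x" in x|s|t) echo anyone; return 0 ;; esac      # 4755: world-executable
    case "$grp_x" in x|s)   echo "group:$group"; return 0 ;; esac  # 4750: group only
    echo root-only                                                 # 4700
}

# audit_su [PATH]: run the classification against a real binary on this host
audit_su() {
    path=${1:-$(command -v su)}
    # shellcheck disable=SC2046  # word-splitting of ls output is intended here
    set -- $(ls -l "$path")
    classify_su "$1" "$3" "$4"
}

# Constructed samples mirroring the modes discussed in the post:
classify_su -rwsr-xr-x root root    # anyone
classify_su -rwsr-x--- root wheel   # group:wheel
classify_su -rws------ root root    # root-only
classify_su -rwxr-xr-x root root    # not-setuid-root (the post's 700/755 case)
```

Run `audit_su` on a live system to see which of the four states the installed su is in; `group:wheel` is the outcome the commenters recommend when combined with the pam_wheel line in /etc/pam.d/su.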